Server aholed after ASL update?

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: Server aholed after ASL update?

Unread post by aslus maximus »

Ok, I think I got it. I'll snoop around for another kernel. :wink:

Thanks :mrgreen:
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: Server aholed after ASL update?

Unread post by aslus maximus »

I followed that wiki about adding advanced rules, and at the end it says to add a drop rule for everything using insert. When I did that using insert, the drop rule was at the top and blocked everything. I left it out because there was a drop rule at the bottom for lo; then I got to thinking I'd better add a drop with append or a rule number for everything else.

Here are the rules I ended up with. I think they're right, but I'm not sure about the drop rules because of that wiki guide. Is the wiki right? The drop should not be at the top from what I understand.

[root@CGN003 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ASL-ACTIVE-RESPONSE all -- 2.93.222.52 0.0.0.0/0
ASL-ACTIVE-RESPONSE all -- 175.44.2.128 0.0.0.0/0
ACCEPT tcp -- 86.40.237.233 0.0.0.0/0 tcp dpt:8880 state NEW
ACCEPT tcp -- 86.40.237.233 0.0.0.0/0 tcp dpt:8447 state NEW
ACCEPT tcp -- 86.40.237.233 0.0.0.0/0 tcp dpt:8443 state NEW
ACCEPT tcp -- 86.40.0.0/13 0.0.0.0/0 tcp dpt:24555 state NEW
ASL-ACTIVE-RESPONSE all -- 216.224.164.87 0.0.0.0/0
ASL-GEO-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x2B
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1A
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0A
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0D
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1C
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x03
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x29/0x29
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x22/0x22
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
ASL-PORTSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-TORTIXD-ACL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-Firewall-INPUT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state NEW

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ASL-UPDATES tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ASL-Firewall-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain ASL-ACTIVE-RESPONSE (3 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ASL-BLACKLIST (1 references)
target prot opt source destination

Chain ASL-Firewall-INPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_INPUT '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ASL-Firewall-OUTPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5224
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:24555
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `ASL_OUTPUT '
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset

Chain ASL-GEO-BLACKLIST (1 references)
target prot opt source destination

Chain ASL-PORTSCAN (21 references)
target prot opt source destination

Chain ASL-TORTIXD-ACL (1 references)
target prot opt source destination
ACCEPT tcp -- 86.40.237.233 0.0.0.0/0 tcp dpt:30000 state NEW
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_TORTIX '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ASL-UPDATES (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 80.82.124.228 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 69.20.6.166 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.195.110 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 208.68.233.251 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.112.216 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 74.208.166.51 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 198.71.51.132 tcp dpt:443 state NEW
[root@CGN003 ~]#
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Server aholed after ASL update?

Unread post by mikeshinn »

When I did that using insert, the drop rule was at the top and blocked everything.
You want to use append.

From the firewall rule documentation:

Step 5: Select the command, Append or Insert. In the Linux firewall, Append means to add the rule after all other rules. Linux firewalling is linear, which means it processes the rules in order, "first come first served". Appending places the rule last. Insert places the rule first. With Insert you can also set the rule number in case you prefer that the rule run second, third, etc. Be very careful with Insert, as you can end up setting your rules up in the opposite order of what you want (for example, putting your drop rules before your allow rules).
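A way to catch this ordering mistake before it locks you out, as an added example that is not ASL's own code or part of the wiki: the script below parses `iptables -L -n -v` output and flags every rule that sits after a catch-all DROP or REJECT in the same chain, since first match wins and nothing below such a rule can ever run. It needs the `-v` columns because plain `iptables -L -n`, as pasted above, omits the in/out interface columns, so a loopback rule such as `-i lo -j ACCEPT` prints as `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0` and looks like a catch-all when it is not. The two listings inside are constructed samples using RFC 5737 addresses, not the server from this thread.

```python
"""Detect rules shadowed by an earlier catch-all DROP/REJECT (added example, not ASL code).

iptables walks a chain top to bottom and stops at the first terminal match, so a
catch-all DROP that was added with Insert hides every ACCEPT below it. This
parses `iptables -L -n -v` text; the -v columns (in/out interface) are required,
otherwise an `-i lo` rule is indistinguishable from a true catch-all.
"""
import re
from dataclasses import dataclass

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str  # trailing match text such as "tcp dpt:8443 state NEW"

    def is_catch_all(self) -> bool:
        """True only when nothing restricts the rule, i.e. every packet matches."""
        return (self.prot in ("all", "0") and self.in_if == "*" and self.out_if == "*"
                and self.source == "0.0.0.0/0" and self.dest == "0.0.0.0/0"
                and self.extra == "")


def parse_chains(listing: str) -> dict:
    """Split `iptables -L -n -v` output into {chain name: [Rule, ...]}."""
    chains = {}
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if line.startswith("pkts ") or current is None:
            continue  # column header, or text before the first chain
        # columns: pkts bytes target prot opt in out source destination [extra]
        parts = line.split(None, 9)
        if len(parts) < 9:
            continue
        extra = parts[9] if len(parts) == 10 else ""
        chains[current].append(Rule(parts[2], parts[3], parts[5], parts[6],
                                    parts[7], parts[8], extra))
    return chains


def shadowed_rules(chains: dict) -> list:
    """Return (chain, 1-based position, target, blocker) for unreachable rules."""
    findings = []
    for name, rules in chains.items():
        blocker = None
        for pos, rule in enumerate(rules, start=1):
            if blocker is not None:
                findings.append((name, pos, rule.target, blocker))
            elif rule.target in TERMINAL and rule.is_catch_all():
                blocker = rule.target
    return findings


def check_listing(listing: str) -> list:
    """One human-readable finding per rule that can never match."""
    return [f"{chain}: rule {pos} ({target}) is unreachable, shadowed by earlier catch-all {blocker}"
            for chain, pos, target, blocker in shadowed_rules(parse_chains(listing))]


# Constructed sample: the catch-all DROP was added with Insert, so it sits first.
INSERTED_DROP = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
   12   720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   180 ACCEPT     tcp  --  *      *       192.0.2.10           0.0.0.0/0            tcp dpt:8443 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
"""

# Constructed sample: the same rules added with Append, so the ACCEPTs fire first.
APPENDED_DROP = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   180 ACCEPT     tcp  --  *      *       192.0.2.10           0.0.0.0/0            tcp dpt:8443 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    for label, listing in (("inserted", INSERTED_DROP), ("appended", APPENDED_DROP)):
        print(f"{label}: {check_listing(listing) or ['no shadowed rules']}")
```

Run it against `iptables -L -n -v` saved from the box before applying a new catch-all rule; the `state INVALID` DROP and the loopback ACCEPT are correctly not treated as catch-alls, so only a genuinely unrestricted DROP or REJECT placed above other rules produces a finding.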
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: Server aholed after ASL update?

Unread post by aslus maximus »

Yes, I read that, but I was following these instructions and it says to insert the drop rule after adding all my accept rules. Not sure if it's a mistake, but it tripped me up the first time, so I thought I'd better let you know just in case so other newbs don't get confused.

blah...
Step 11: Continue adding ACCEPT rules for all the IPs and/or networks you want to allow by repeating Steps 1-10.

Step 12: If you are done adding IPs and/or networks to allow, now you will add in your rule to block all other IPs/Networks. Click the "Add Rule" button.

Step 13: For table, select filter.

Step 14: For Chain select "INPUT"

Step 15: For command select "Insert"

Step 16: For protocol select tcp in the drop down, and leave the first drop down as "-".

Step 17: Type in the source IP/Network for this rule. If you want to block all sources, just leave this blank.

Step 18: In the Destination port window type in the port number you wish to block. For example, if you want to block connections to port 22, type in 22. Leave the first drop down as "-".

Step 19: Set the "Jump Target" to "DROP" or "REJECT". DROP will silently block the attempt, so the client is not sure why it was blocked; REJECT will send ICMP destination denied packets to the client application's network stack, telling the stack that the connection was dropped at the network level.

Step 20: Then press the Add Rule button.

Your new ruleset to restrict access to a port, except from certain IPs/Networks is now implemented.

Your new rule is now implemented.

https://www.atomicorp.com/wiki/index.ph ... le_Manager


Anyway, this first drop rule is for the network card lo according to the UI. I'm pretty sure it came from the access list, so I thought I'd better add another one at the bottom to drop everything else. That's OK like that, isn't it, or do I only need to drop everything from lo? I guess invalid means the lo interface?

DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-TORTIXD-ACL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30000 state NEW
ASL-Firewall-INPUT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state NEW
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Server aholed after ASL update?

Unread post by mikeshinn »

Yes, I read that, but I was following these instructions and it says to insert the drop rule after adding all my accept rules. Not sure if it's a mistake, but it tripped me up the first time, so I thought I'd better let you know just in case so other newbs don't get confused.
Yep, it's not clear in that part of the guidance and I can see how it would confuse someone, so we updated it. Thanks for bringing it to our attention.
craigedmonds
Forum User
Posts: 26
Joined: Fri Feb 17, 2012 3:37 am
Location: Spain

Re: Server aholed after ASL update?

Unread post by craigedmonds »

Hi,

I have followed the steps, and now in my Security Events log it's triggering event 4151 even though I do have FW_DROP_INVALID set to yes.

Is this something I need to address or can I set the rule to not log these entries?


montague kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:c9:bb:96:84:08:00 SRC=109.75.164.152 DST=109.75.164.255 LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=19755 PROTO=UDP SPT=17500 DPT=17500 LEN=119
Sep 19 16:43:12 montague kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:c9:bb:96:84:08:00 SRC=109.75.164.152 DST=109.75.164.255 LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=19754 PROTO=UDP SPT=17500 DPT=17500 LEN=119
Sep 19 16:43:12 montague kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:c9:bb:96:84:08:00 SRC=109.75.164.152 DST=109.75.164.255 LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=19753 PROTO=UDP SPT=17500 DPT=17500 LEN=119
Sep 19 16:43:12 montague kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:c9:bb:96:84:08:00 SRC=109.75.164.152 DST=109.75.164.255 LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=19752 PROTO=UDP SPT=17500 DPT=17500 LEN=119
Sep 19 16:43:12 montague kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:c9:bb:96:84:08:00 SRC=109.75.164.152 DST=255.255.255.255 LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=19751 PROTO=UDP SPT=17500 DPT=17500 LEN=119
Sep 19 16:42:41 montague kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:c9:bb:96:84:08:00 SRC=109.75.164.152 DST=109.75.164.255 LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=19590 PROTO=UDP SPT=17500 DPT=17500 LEN=119
Sep 19 16:42:41 montague kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:c9:bb:96:84:08:00 SRC=109.75.164.152 DST=109.75.164.255 LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=19589 PROTO=UDP SPT=17500 DPT=17500 LEN=119
Sep 19 16:42:41 montague kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:c9:bb:96:84:08:00 SRC=109.75.164.152 DST=109.75.164.255 LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=19588 PROTO=UDP SPT=17500 DPT=17500 LEN=119
Sep 19 16:42:41 montague kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:c9:bb:96:84:08:00 SRC=109.75.164.152 DST=109.75.164.255 LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=19587 PROTO=UDP SPT=17500 DPT=17500 LEN=119
Sep 19 16:42:41 montague kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:c9:bb:96:84:08:00 SRC=109.75.164.152 DST=255.255.255.255 LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=19586 PROTO=UDP SPT=17500 DPT=17500 LEN=119
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Server aholed after ASL update?

Unread post by mikeshinn »

montague kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:c9:bb:96:84:08:00 SRC=109.75.164.152 DST=109.75.164.255 LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=19755 PROTO=UDP SPT=17500 DPT=17500 LEN=119
Sep 19 16:43:12 montague kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:c9:bb:96:84:08:00
That's a broadcast packet; this means you haven't configured your system to allow in broadcast packets. A Linux server shouldn't need this, but if you do, you'll need to add custom rules for it. Please see the firewall documentation if you want to do this:

https://www.atomicorp.com/wiki/index.ph ... le_Manager
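To confirm for yourself that such entries are broadcast noise rather than something the `state INVALID` rule should have handled, here is an added example (not ASL's code and not from the wiki) that parses the key=value fields of `DROP_ASL_INPUT` kernel log lines and classifies each dropped packet by destination. The destination MAC `ff:ff:ff:ff:ff:ff` and destination IPs of `x.x.x.255` or `255.255.255.255` mark a datagram as broadcast; conntrack sees such a packet as a valid NEW packet, so a `DROP ... state INVALID` rule never applies to it, and it falls through to the chain's final logging DROP. The sample entries are constructed with RFC 5737 addresses, and the second one is deliberately run into the first without a line break, as happened in the paste above, to show the splitter coping with it. The local network passed to `classify` is an assumption the caller supplies.

```python
"""Classify DROP_ASL_INPUT kernel log entries by destination (added example, not ASL code).

Parses the KEY=value fields of netfilter LOG lines and reports whether each
dropped packet went to a broadcast address, to a unicast address on the local
network, or elsewhere. Handles entries pasted without line breaks.
"""
import ipaddress
import re

# A new entry begins at a syslog timestamp such as "Sep 19 16:43:12"; no \b is
# used because in a run-together paste the timestamp directly follows a digit.
ENTRY_START = re.compile(r"(?=[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d )")
FIELD = re.compile(r"([A-Z]+)=(\S*)")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def split_entries(text: str) -> list:
    """Split a blob of kernel log text into one string per log entry."""
    return [e.strip() for e in ENTRY_START.split(text) if e.strip()]


def parse_entry(entry: str) -> dict:
    """Return the KEY=value fields; LEN occurs twice (IP and UDP), the first wins."""
    fields = {}
    for key, value in FIELD.findall(entry):
        fields.setdefault(key, value)
    return fields


def classify(fields: dict, local_net: str) -> str:
    """'broadcast', 'local-unicast' (to an address in local_net) or 'other'."""
    dst = ipaddress.ip_address(fields["DST"])
    net = ipaddress.ip_network(local_net, strict=False)  # assumed, supplied by caller
    if dst == LIMITED_BROADCAST or dst == net.broadcast_address:
        return "broadcast"
    if dst in net:
        return "local-unicast"
    return "other"


def summarize(text: str, local_net: str) -> dict:
    """Count dropped entries per (classification, protocol, destination port)."""
    counts = {}
    for entry in split_entries(text):
        f = parse_entry(entry)
        if "DST" not in f:
            continue  # not a netfilter LOG line
        key = (classify(f, local_net), f.get("PROTO", "?"), f.get("DPT", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log text. Entry 2 is run straight into entry 1 on purpose.
SAMPLE = (
    "Sep 19 16:43:12 host kernel: DROP_ASL_INPUT IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.20 DST=192.0.2.255 "
    "LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=1001 PROTO=UDP SPT=17500 DPT=17500 LEN=119"
    "Sep 19 16:43:12 host kernel: DROP_ASL_INPUT IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.20 DST=255.255.255.255 "
    "LEN=139 TOS=0x00 PREC=0x00 TTL=128 ID=1002 PROTO=UDP SPT=17500 DPT=17500 LEN=119\n"
    "Sep 19 16:44:01 host kernel: DROP_ASL_INPUT IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1003 PROTO=TCP SPT=44123 DPT=3389\n"
)

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE, "192.0.2.0/24").items()):
        print(f"{n:4d}  {key[0]:<14} {key[1]:<4} dpt={key[2]}")
```

Feeding it the box's own log text with its real subnet separates the broadcast chatter, which is safe to leave dropped, from unicast connection attempts to the host, which are the entries worth reviewing.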